Cross hotels and resorts We collect, utilize, and disclose personal information strictly to perform our core business functions and activities, most importantly, making and managing travel bookings on your behalf.

We are deeply committed to safeguarding the privacy and confidentiality of your personal information/personal data. We implement and maintain comprehensive physical, electronic, and procedural safeguards to protect all personal information under our care.

This Privacy Notice (“Notice”) sets out how this Cross hotels and resorts business or application processes and protects the privacy of your personal information. It applies to all individuals.

For the purposes of the General Data Protection Regulation 2016/679 (“GDPR”) and any other applicable data protection laws of a similar nature, the Company acts as a “Data Controller” (or the equivalent term used within the relevant jurisdiction). This means that we determine the purposes for which, and the manner in which, your personal information is collected, used, stored, disclosed, and otherwise processed. This responsibility applies to all personal information you provide to us, or that we collect about you, in connection with the following activities:

• our provision of business travel products and services;  

• event management services;  

• the provision of leisure travel products and services; and 

• for the purpose of all our marketing activities. 

There may be instances where your local data protection laws impose more restrictive information handling practices than the practices set out in this Notice. Where this occurs, we will adjust our information handling practices in your jurisdiction to comply with your local data protection laws.

This Privacy Policy on the Use of Closed-Circuit Television (“CCTV Policy”) describes how Cross Hotels and Resorts, its subsidiaries, and affiliated companies (collectively referred to as the “Company,” “we,” “us,” or “our”) use CCTV devices and systems within and around our premises, buildings, and facilities.

The purpose of CCTV use is to protect life, health, safety, and property, as well as to safeguard the personal data of employees, directors, contractors, workers, guests, visitors, and any other individuals entering areas monitored by CCTV within our premises (collectively referred to as “you” or “your”).

This Policy explains how we collect, use, disclose, transfer, and protect information that can identify you (“Personal Data”) obtained through CCTV systems, and how such systems are managed and operated. We may amend this Policy from time to time and will notify you of any material changes, where reasonably possible.

2.1. Personal Data We Collect

We may collect and process recognizable moving or still images, audio recordings (where applicable), and images of your belongings (such as vehicles) when you enter areas monitored by CCTV within our premises, buildings, and facilities (“CCTV Data”).

2.2. Purpose and Legal Basis for Processing

We may collect, record, store, use, disclose, transfer, retrieve, alter, delete, or otherwise process CCTV Data for purposes including safety, security, prevention of crime, dispute resolution, legal compliance, and protection of legitimate business interests, based on lawful grounds permitted under applicable data protection laws.

2.3. CCTV Installation and Operation

CCTV devices are installed at appropriate locations and operate 24 hours a day, except during maintenance or technical issues. CCTV is not installed in private areas such as toilets or changing rooms. Clear signage is displayed in monitored areas.

2.4. Disclosure of Personal Data

CCTV Data is kept confidential and disclosed only to authorized affiliates, service providers, or authorities where required by law or necessary for safety and security purposes.

2.5. International Data Transfer

CCTV Data may be transferred outside Thailand where necessary, with appropriate safeguards in accordance with applicable data protection laws.

2.6. Security Measures

Appropriate technical and organizational measures are implemented to protect CCTV Data against unauthorized access, loss, or misuse.

2.7. Data Retention

CCTV Data is retained only for as long as necessary for the stated purposes or as required by law, after which it is securely deleted or anonymized.

2.8. Your Rights

You may have rights to access, correct, delete, restrict, or object to the processing of your Personal Data, subject to applicable laws.

2.9. Contact Information;

Cross Hotels and Resorts

10/125 Trendy Building, 11th Floor

Soi Sukhumvit 13, Sukhumvit Road

Klongtoey Nuea, Watthana

Bangkok 10110, Thailand

Email: dataprotection@crosshotelsandresorts.com

Personal information has the meaning given under your local data protection law and, where the  GDPR applies, the meaning of personal data given under the GDPR. Personal information generally  means information which relates to a living individual who can be identified from that information,  or from that information and other information in a person’s possession, including any expression of  opinion, whether true or not, and whether recorded in material form or not, about an identified or  reasonably identifiable individual, and any indication of intention in respect of an individual.  

Generally, the type of personal information we collect about you is the information that is needed to  facilitate your travel arrangements and bookings and to arrange travel related products and/or  services on your behalf.  

We therefore typically process the following types of personal information about you: • Identifiers 

• contact information (such as name, residential/mailing address, telephone number,  email address);  

• date of birth; 

• passport details, national identity card details, driver’s license details;  

• online identifiers (such as IP address, device data, and network information);

• loyalty program / frequent flyer details; 

3.1. Commercial Information, including records of products or services purchased, obtained, or  considered, or other purchasing or consuming histories or tendencies; 

3.2. Biometric information; 

3.3. Internet or other electronic network activity (such as the device and network you are using  to connect with us), as further described in section 12;  

3.4. Geolocation data;

3.5. Audio (such voice recordings for quality control, service improvement, training and dispute  resolution), electronic and visual information (such as video surveillance footage) used for  security purposes,

3.6. Professional or employment-related information;

3.7. Payment account information (credit/debit card details, including card type, card number,  security number and expiry date and other financial details necessary to process various  transactions);

3.8. Health information such as your dietary requirements and health issues (if any); and

3.9. Other details relevant to your travel arrangements or required by the relevant travel service provider(s) (e.g., airlines and accommodation or tour providers).

When you contact us for other purposes, we may also collect personal information about you in  relation to those purposes. For example, we may collect your personal information so we can contact you about a competition you have entered (e.g., if you win), or to respond to an enquiry or complaint  you have made, or feedback you have provided to us. We also collect information that is required  for use in the business activities of Cross hotels and resorts  and our related entities, including for example,  financial details necessary to process various transactions, and other relevant personal information  you may elect to provide to us.

In some circumstances, we may collect personal information from you which may be regarded as  sensitive information under your local data protection laws. Sensitive information may include  (without limitation) your racial or ethnic origin, philosophical or religious beliefs or affiliations, sexual  orientation, membership of political, professional or trade associations (for use in booking special  rates), biometric and genetic information, passwords, financial information and health information.  Please note that, when necessary for travel arrangements, we may collect from a responsible adult  personal information relating to a child of any age, but we do not knowingly collect any such  information directly from children.

We will only collect sensitive information in compliance with your local data protection laws, with  your explicit, voluntary consent and where it is reasonably necessary for, or directly related to, one  or more of our functions or activities (e.g., to provide travel-related products and services), unless  we are otherwise required or authorised to do so by law. To the extent permitted or required under  your local data protection laws, you voluntarily consent to us using and disclosing your sensitive  information for the purpose for which it was collected. For example, if you provide health information  to us in connection with a travel insurance application you would like to make, you voluntarily  consent to us using and disclosing that health information in connection with arranging that travel  insurance on your behalf. A further example is if you disclose your religious beliefs to us because  you are interested in, for example, certain holiday packages, in which case you voluntarily consent  to us using and disclosing that information in connection with facilitating your request. We will not  use or disclose sensitive information for purposes other than those for which it was collected, unless  we subsequently request and receive your voluntary consent to use it for another purpose.

We will only collect personal information in compliance with your local data protection laws. We usually collect your personal information directly from you during the course of your relationship with us. We will collect this information directly from you unless it is unreasonable or impracticable to do so.

Generally, this collection will occur: 

• when you deal with us either in person, by telephone, letter, email; 

• when you visit any of our websites; 

• when you use any of our apps; or  

• when you connect with us via social media.  

We may collect personal information about you: 

• when you purchase or make enquiries about travel arrangements or other travel-related  products and services;

• when you enter competitions or register for promotions;

• when you subscribe to receive marketing from us (e.g., e-newsletters);

• when you request brochures or other information from us; or

• when you provide information, or use our services, on social media.

Unless you choose to do so using a pseudonym or anonymously, we may also collect your personal  information (other than sensitive information) when you complete surveys or provide us with  feedback.

In some circumstances, it may be necessary for us to collect personal information about you from a  third party. This includes where a person makes a travel booking on your behalf which includes  travel arrangements to be used by you (e.g., a family or group booking or a travel booking made  for you by your employer). Where this occurs, we will rely on the authority of the person making  the travel booking to act on behalf of any other traveller on the booking.

Where you make a travel booking on behalf of another person(s) (e.g., a family or group booking or  a travel booking made for an employee), you agree to have obtained the voluntary and informed consent of the other person(s) for Cross hotels and resorts  to collect, use and disclose the other person's  personal information in accordance with this Notice and that you have otherwise made the other  person(s) aware of this Notice.

You should let us know immediately if you become aware that your personal information has been  provided to us by another person without your voluntary consent or if you did not obtain voluntary  consent before providing another person's personal information to us.

We make every effort to maintain the accuracy and completeness of your personal information which  we store and to ensure all your personal information is up to date. However, you can assist us with  this considerably by promptly contacting us if there are changes to your personal information or if  you become aware that we have inaccurate personal information relating to you (see section 15 below). We will not be responsible for any losses arising from any inaccurate, inauthentic, deficient  or incomplete personal information that you, or a person acting on your behalf, provide to us.

Where the provision of services or other business processes is dependent upon you voluntarily  consenting to the collection and subsequent processing of your personal data, if you choose not to  provide your voluntary consent this may prevent us from providing specific services that rely upon  the collection of personal data, or otherwise impact the quality of the services, we can provide you.

Similarly, if you request that we restrict or stop using personal information we hold on you or  withdraw a voluntary consent you have previously given to the processing of such personal  information, this may affect our ability to provide services to you or negatively impact the services  we can provide to you. For example, most travel bookings must be made under the traveller's full  name and must include contact details and appropriate identification (e.g., passport details). We  cannot make bookings for you without that information.

Any voluntary consent you provide for the collection, use and disclosure of your personal data will  remain valid until such time as you withdraw your consent in writing. You may withdraw consent  and request us to stop collecting, using and/or disclosing your personal data by submitting your  request in writing using either the links provided in section 15, or by emailing/writing-to our Privacy  teams via the contact details provided in section 15. Please note that withdrawing consent does not  affect our right to continue to collect, use and disclose personal data where such collection, use and  disclosure without consent is permitted or required under applicable laws.

For the retention of personal data, we may retain your personal data for as long as it is necessary  to fulfil the purposes for which they were collected, or as required or permitted by applicable laws.  We will cease to retain your personal data, or remove the means by which the data can be associated  with you, as soon as it is reasonable to assume that such retention no longer serves the purposes  for which the personal data were collected, and are no longer necessary for legal or business  purposes.

We may disclose your personal information to certain overseas recipients, as set out below. We will  ensure that any such international transfers are necessary for the performance of a contract between  you and the overseas recipient, and/or are made subject to appropriate or suitable safeguards as  required by your local data protection laws (e.g., GDPR, China cybersecurity law, etc.).

Cross Hotels and Resorts, Corporate, Inc. (collectively) comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as established by the U.S. Department of Commerce. The Cross Hotels and Resorts USA corporate brands have certified to the U.S. Department of Commerce that they adhere to the EU-U.S. DPF Principles with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.

If there is any conflict between the terms in this Notice and the EU-U.S. DPF Principles, the Principles shall govern.

To learn more about the Data Privacy Framework (DPF) program and to view our certification, please visit the official DPF program website:

https://www.dataprivacyframework.gov/ commerce.gov 

The Cross Hotels and Resorts corporate brands shall remain liable under the DPF Principles if our agents process your personal information in a manner inconsistent with the DPF Principles, unless the Cross Hotels and Resorts USA corporate brands can demonstrate that they are not responsible for the event giving rise to the damage.

It is possible that information will be transferred to an overseas recipient (other than any of our  overseas related entities) located in a jurisdiction where you will not be able to seek redress under  your local data protection laws and that does not have an equivalent level of data protection as in  your jurisdiction. To the extent permitted by your local data protection laws, we will not be liable for  how these overseas recipients handle, store, and otherwise process your personal information.

We will ensure that any such international transfers are either necessary for the performance of a  contract between you and the overseas recipient or are made subject to appropriate or suitable  safeguards as required by your local laws.

We use key service providers located in India, Indonesia, Philippines, Hong Kong, USA, United  Kingdom, and Australia. We also deal with many different service providers all over the world, so it  is not possible for us to set out in this Notice all of the different countries to which we may send  your personal information. However, if you have any specific questions about where or to whom  your personal information will be sent, please refer to the “Feedback / Complaints / Subject Access  Requests / Contacts” section below (section 15).

(a) Our overseas related entities

Cross hotels and resorts  operate a global business, Your personal information may be disclosed to our overseas related entities in connection with  facilitation of your travel booking and/or to enable the performance of administrative, advisory and  technical services, including the storage and processing of such information. This includes enabling “single sign-on” allowing you to login to a shared account across our brands using a single set of  log-in credentials, which allows us to, for example, show your reservations and bookings made  through the websites, applications, and services of our group companies on your account page, and  allow our group companies to show information in your respective account(s) with them.

(b) Travel service providers located overseas In providing our services to you, it may be necessary for us to disclose personal information to  relevant overseas travel service providers. We deal with many different travel service providers all  over the world, so the location of a travel service provider relevant to your personal information will  depend on the travel services being provided. The relevant travel service providers will in most cases  receive your personal information in the country in which they will provide the services to you or in  which their business or management is based.

(c) Our third-party service providers located overseas We may also disclose your personal information to third-parties located overseas for the purpose of  performing services for us, including the storage and processing of such information. Generally, we  will only disclose your personal information to these overseas recipients in connection with facilitation  of your travel booking and/or to enable the performance of administrative and technical services by  them on our behalf.

(d) China cyber security law requirements Personal information which is collected and generated within the territory of the People's Republic  of China shall only be transferred outside this territory for business reasons or other authorized  reasons. These include the following situations:

d.1. where the international transfer is required or authorized by the traveler; 

d.2. when you use our platforms or online booking tools to book overseas hotels, airlines, and  travel related services or products; 

d.3. to provide reports, analytics, and dashboards of your travel to your employer for activities  comprising their business travel programme as part of contracted travel services; or 

d.4. to otherwise fulfil the purposes set out in section 5 above. 

If you wish to make a Subject Access Request to:

● access, update, modify, rectify, erase, object to, or obtain a copy of the personal information  that we hold on you; or 

● restrict or stop us from using any of the personal information which we hold on you, including  by withdrawing any voluntary consent you have previously given to the processing of such  information; or 

● where any personal information has been processed on the basis of your voluntary consent  or as necessary to perform a contract to which you are a party, request a copy of such  personal information in a suitable machine-readable format or have that personal  information transmitted by us to another controller, 

you can request this by contacting us as set out in section 15 below. You will receive  acknowledgement of your request. 

We will always process your requests within the timeframes set by applicable privacy laws. Please  note we reserve the right to extend this period for complex requests or as otherwise permitted by  applicable law. 

We reserve the right to deny your access for any reason permitted under applicable laws. Such  exemptions may include national security, corporate finance and confidential references. If we deny  access or correction, we will provide you with written reasons for such denial unless it is  unreasonable to do so and, where required by local data protection laws, will note your request and  the denial of same in our records.  

You have the right to lodge a complaint with a relevant supervisory authority. 

Further correspondence regarding your request should only be made in writing to the applicable Data Protection Team as set out in section 15 below.  

You must always provide accurate information and you agree to update it whenever necessary. You  also agree that, in the absence of any update, we can assume that the information submitted to us  is correct, unless we subsequently become aware that it is not correct. 

You can at any time tell us not to send you marketing communications by email by clicking on the  unsubscribe link within the marketing emails you receive from us or by contacting us as indicated  below (section 15). 

In any of the situations listed above, we may request that you prove your identity by providing us  with a copy of a valid means of identification in order for us to comply with our security obligations  and to prevent unauthorised disclosure of personal information. 

To the extent permissible by law, we reserve the right to charge you a reasonable administrative  fee for any manifestly unfounded or excessive requests concerning your access to your personal  information, and for any additional copies of the personal information you request from us. 

This section pertains only to the processing of personal data by us that falls specifically within the scope of the Singapore Personal Data Protection Act (“PDPA”). 

Where voluntary consent to the processing of personal data has not been obtained, we will collect, use and disclose personal data pursuant to an exception under the PDPA or as required/authorised under any other written law. 

Upon receipt of a written request to withdraw your voluntary consent, we may require reasonable time (depending on the complexity of the request and its impact on our relationship with you) for your request to be processed and for us to notify you of the consequences (including any legal consequences which may affect your rights and liabilities to us) of us completing this request. We will never delay our processing of such requests, and in any event will process them in accordance with the timelines set by the PDPA.

Our websites and mobile applications may use social media features and widgets (such as “Like” and “Share” buttons/widgets) (“SM Features”). These are provided and operated by third-party companies (e.g., Facebook) and either hosted by a third-party or hosted directly on our website or mobile application. SM Features may collect information such as the page you are visiting on our website/mobile application, your IP address, and may set cookies to enable the SM Feature to function properly.  

If you are logged into your account with the third-party company, then the third-party may be able to link information about your visit to and use of our website or mobile application to your social media account with them. Similarly, your interactions with the SM Features may be recorded by the third-party. In addition, the third-party company may send us information in line with their policies, such as your name, profile picture, gender, friend lists and any other information you have chosen to make available, and we may share information with the third-party company for the purposes of serving targeted marketing to you via the third-party social media platform. You can manage the sharing of information and opt out from targeted marketing via your privacy settings for the third party social media platform. 

Your interactions with these SM Features are governed by the privacy policy of the third-party company providing them. For more information about the data practices of these third-party companies, and to find out more about what personal information is collected about you and how the third-party uses such personal information, please refer to their privacy policy directly. 

Our websites may contain links to third-party websites over which we have no control. We are not responsible for the privacy practices or the content of such websites. We encourage you to read the privacy policies of any linked third-party websites you visit as their privacy policy and practices may differ from ours.

You can direct any questions or complaints about the use or disclosure of your personal information to the contact information below.

Wherever you are in the world, if you wish to make a Subject Access Request to inform us of a change or correction to your personal information, request a copy of the information we collect on you, request deletion of your information or would like to restrict the further processing of your data,  please use the Subject Access Request Link below. We will respond to these requests within the time period required by the applicable jurisdiction. 

Global Subject  

Access Requests

Submit Request

Similarly, if you have any enquiries, comments or complaints about this Notice or our handling of  your personal information, please contact your consultant or the Data Protection Team using the  details set out below and we will respond as soon as practicable. 

Cross Hotels & Resorts

Contact and Complaints under the EU-U.S. Data Privacy Framework

In accordance with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”) and the UK Extension to the EU-U.S. DPF, Cross Hotels and Resorts and its corporate brands are committed to resolving complaints relating to the collection and use of personal data transferred in reliance on the EU-U.S. DPF and the UK Extension.

Individuals located in the European Union or the United Kingdom who have enquiries or complaints regarding our handling of personal data transferred under the EU-U.S. DPF or the UK Extension should, in the first instance, contact our Data Protection Team using the details below:

Data Protection Team

Cross Hotels and Resorts

10/125 The Trendy Building, Floor 11

Soi Sukhumvit 13, Sukhumvit Road

Klongtoey Nue, Wattana

Bangkok 10110, Thailand

Email: dataprotection@crosshotelsandresorts.com

We will investigate and seek to resolve complaints in accordance with the principles of the EU-U.S. DPF and the UK Extension. 

We may amend this Notice from time to time. If we make a change to the Notice, the revised version will be posted on our website. We will post a prominent notice on our website to notify you of any significant changes to our Notice and indicate at the end of the Notice when it was most recently updated. It is your responsibility, and we encourage you, to check the website from time to time in  order to determine whether there have been any changes.

This Privacy Notice was last updated on Dec 2025